
User Guide

DDoS prevention

Connection Limits

FortiAppSec Cloud DDoS prevention Connection Limits is a service that protects you against high-volume DDoS attacks.

A Distributed Denial of Service attack (DDoS attack) is a cyber attack in which an attacker attempts to overwhelm a web server/site, making its resources unavailable to its intended users. Most DDoS attacks use automated tools (not browsers) on one or more hosts to generate the harmful flood of requests to a web server.

FortiAppSec Cloud allows you to configure Connection Limits at two layers:

  • Application layer (HTTP or HTTPS)
  • Network and transport layer (TCP/IP)

With the public cloud infrastructure in front providing the first layer of defense against volumetric attacks, FortiAppSec Cloud enhances DDoS protection by focusing on sophisticated attacks targeting the application layer, such as low and slow attacks. Together they provide protection against the full range of layer 3-7 DDoS attack types. Additionally, the Fortinet operations team adds network and application protection customizations in real time to help protect against the most sophisticated DDoS threats.

To configure DDoS prevention Connection Limits, you must have already enabled this module in Add Modules. See Add and Remove Modules.

Configuring application-layer DDoS prevention Connection Limits

For some DDoS prevention Connection Limits features, FortiAppSec Cloud uses session management to track requests.

  1. When FortiAppSec Cloud receives the first request from any client, it adds a session cookie to the response from the web server in order to track the session. The client will include the cookie in subsequent requests.
  2. If a client sends another request before the session timeout, FortiAppSec Cloud examines the session cookie in the request.
    • If the cookie does not exist or its value has changed, FortiAppSec Cloud drops the request.
    • If the same cookie exists, the request is treated as part of the same session. FortiAppSec Cloud increments its count of connections and/or requests from the client. If the rate exceeds the limit, FortiAppSec Cloud drops the extra connection or request.
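The two steps above, modelled in Python as an added illustration (this is not FortiAppSec Cloud code): the session timeout value, the one-second counting window and keying sessions by client source IP are assumptions, as are the constructed client address and traffic.

```python
"""Model of the session-cookie tracking steps above. Added illustration, not
FortiAppSec Cloud code: timeout, one-second window and per-IP keying are assumed."""
import secrets
from dataclasses import dataclass

SESSION_TIMEOUT = 60.0  # assumed session timeout in seconds (not given on the page)

@dataclass
class Session:
    cookie: str              # value issued in the first response
    last_seen: float
    window_start: float      # start of the current one-second counting window
    requests_in_window: int = 0

class SessionLimiter:
    def __init__(self, request_limit):
        self.request_limit = request_limit  # HTTP Request Limit, requests/second
        self.sessions = {}                  # assumed: keyed by client source IP

    def handle(self, client, cookie, now):
        """Decide one request: returns (verdict, cookie_to_set_or_None)."""
        sess = self.sessions.get(client)
        if sess is not None and now - sess.last_seen > SESSION_TIMEOUT:
            del self.sessions[client]       # session timed out; start over
            sess = None
        if sess is None:
            # Step 1: first request from this client, issue a tracking cookie
            issued = secrets.token_hex(8)
            self.sessions[client] = Session(issued, now, now, 1)
            return "pass", issued
        sess.last_seen = now
        if cookie != sess.cookie:
            # Step 2a: cookie missing or altered, the request is dropped
            return "drop", None
        # Step 2b: same session, count it against the per-second limit
        if now - sess.window_start >= 1.0:
            sess.window_start, sess.requests_in_window = now, 0
        sess.requests_in_window += 1
        return ("drop" if sess.requests_in_window > self.request_limit else "pass"), None

def simulate(limit=5):
    """Constructed traffic: 5-request page load, 2 extra in the same second, forged cookie, next second."""
    lim = SessionLimiter(limit)
    verdict, cookie = lim.handle("203.0.113.7", None, 0.0)
    verdicts = [verdict]
    for i in range(1, 7):
        verdicts.append(lim.handle("203.0.113.7", cookie, 0.1 * i)[0])
    verdicts.append(lim.handle("203.0.113.7", "forged", 0.8)[0])
    verdicts.append(lim.handle("203.0.113.7", cookie, 1.5)[0])
    return verdicts
```

With a limit of 5 (the page's minimum for a five-request page load), the sixth and seventh requests inside the same second and the forged-cookie request are dropped, and the counter starts fresh in the next second.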

You can configure settings below to limit the number of HTTP requests and TCP connections.

HTTP Access Limit

Enable to limit the number of HTTP requests per second from a certain IP.

HTTP Request Limit

Type a rate limit for the maximum number of HTTP requests per second from each source IP address (each source IP address is treated as a single HTTP client).
For example, if loading a web page involves:

  • 1 HTML file request
  • 1 external JavaScript file request
  • 3 image requests

The rate limit should be at least 5, but could be some multiple such as 10 or 15 in order to allow 2 or 3 page loads per second from each client.

It's recommended to use an initial value of 1000.

Malicious IPs

Enable to limit the number of TCP connections with the same session cookie.

TCP Connection Number Limit

Type the maximum number of TCP connections allowed with a single HTTP client.

It's recommended to use an initial value of 100.

HTTP Flood Prevention

Enable to limit the number of HTTP connections with the same session cookie.

HTTP Request Limit

Type the maximum rate of requests per second allowed from a single HTTP client.

It's recommended to use an initial value of 500.

Challenge

  • Real Browser Enforcement—Specifies whether FortiAppSec Cloud returns JavaScript to the client to test whether it is a web browser or an automated tool when it meets any of the specified conditions.
  • CAPTCHA Enforcement—Requires the client to successfully fulfill a CAPTCHA request.

Configuring actions

  1. From the top right corner, select the action that FortiAppSec Cloud takes when it detects a violation of the rule.
    To configure the actions, you must first enable the Advanced Configuration in WAF > System Settings > Settings.

    Alert

    Accept the request and generate a log message.

    Alert & Deny

    Block the request (or reset the connection) and generate a log message.

    Deny (no log)

    Block the request (or reset the connection).

    Period Block

    Block the current request. Moreover, all the subsequent requests from the same client in the next 10 minutes will also be blocked.